Ulf Harnhammar of Secunia Research reported a format string flaw in the way
Evolution parses PGP encrypted messages.
It should be possible for a malicious mail message to abuse this flaw to execute
arbitrary code when a user opens the mail message.
Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding
and reporting this issue.
Format string flaws are usually detected by FORTIFY_SOURCE which will notice
that the %n is from a writable string and abort. But this wasn't happening when
testing this flaw.
On RHEL5, the user supplied format string is passed to em_format_format_error()
in evolution which calls g_strdup_vprintf from glib2. Unfortunately
g_strdup_vprintf in glib2 uses vasprintf, and vasprintf is a function that is
not fortified. (I'll file a feature request about that and see if we can't get
glibc to fortify vasprintf/asprintf etc.)
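The two call shapes described above, as an added C example that is not Evolution's or glib's code: strdup_vprintf is an assumed stand-in for g_strdup_vprintf built on vsnprintf, and the "100%% done" input is constructed so the interpreted format changes the output without touching memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_strdup_vprintf(): formats into a freshly malloc'd buffer.
 * (Assumption: vsnprintf instead of glib's vasprintf path.) */
static char *strdup_vprintf(const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap2);   /* measure */
    va_end(ap2);
    if (n < 0)
        return NULL;
    char *out = malloc((size_t)n + 1);
    if (out == NULL)
        return NULL;
    vsnprintf(out, (size_t)n + 1, fmt, ap);  /* format */
    return out;
}

static char *strdup_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *out = strdup_vprintf(fmt, ap);
    va_end(ap);
    return out;
}

/* Vulnerable shape: the message (attacker-controlled in the PGP case) is
 * the format string, so every '%' in it is interpreted. */
char *format_error_vulnerable(const char *msg)
{
    return strdup_printf(msg);
}

/* Fixed shape: a constant format; the untrusted text is only a %s argument. */
char *format_error_fixed(const char *msg)
{
    return strdup_printf("%s", msg);
}

/* Returns 1 when both shapes produce the expected strings for `in`. */
int demo_matches(const char *in, const char *want_vuln, const char *want_fixed)
{
    char *v = format_error_vulnerable(in);
    char *f = format_error_fixed(in);
    int ok = v && f && strcmp(v, want_vuln) == 0 && strcmp(f, want_fixed) == 0;
    free(v);
    free(f);
    return ok;
}
```

The vulnerable shape turns "100%% done" into "100% done", showing the message is being parsed as a format; the fixed shape returns it verbatim.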
Public now on Secunia site, lifting embargo:
evolution-2.10.3-8.fc7 has been submitted as an update for Fedora 7
evolution-2.12.3-3.fc8 has been submitted as an update for Fedora 8
evolution-2.10.3-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
evolution-2.12.3-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: